SYNCLYTICS Privacy Policy

Effective Date: 2026-01-14

SYNCLYTICS ("we", "our", "us") respects your privacy. This Privacy Policy explains how we collect, use, and disclose information when you use our app SYNCLYTICS ("Software"), including beta versions.

Important: SYNCLYTICS does NOT collect, transmit, or store any personal information in identifiable form. All personal data (trainer names, operator names, employee IDs) remain stored locally on your device and are never transmitted to our servers.

Pseudonymised Operator Tracking: We use industry-standard HMAC-SHA256 cryptographic hashing to create pseudonymised operator identifiers. These hashed identifiers are transmitted to our servers for global performance analytics. While the hashing process is computationally one-way, we classify this as pseudonymised data under GDPR Article 4(5) because re-identification may be theoretically possible with additional information. We do not hold or have access to any information that would enable re-identification.

Privacy-Preserving Location Data: We use NASA/NSIDC EASE-Grid 2.0 to convert GPS coordinates to 10km × 10km geographic cells (100 km² areas). Raw GPS coordinates are never stored or transmitted - only coarse region identifiers are collected for regional analytics.

1. Personal Information

SYNCLYTICS does not collect, transmit, or store any personal information in identifiable form.

All personal data entered into the app remains stored locally on your device:

Trainer names and employee IDs
Operator names and employee IDs (original/unhashed)
Equipment asset IDs
Session notes
GPS coordinates (if enabled)

This information is never transmitted to our servers and remains entirely under your control.

1.1 Pseudonymised Operator Identifiers

We DO collect pseudonymised operator identifiers created using HMAC-SHA256 cryptographic hashing:

What is collected: A cryptographic hash (64-character hexadecimal string) derived from operator identifying information
Purpose: Enables global performance analytics across multiple devices/trainers while protecting operator identity
Legal classification under GDPR: This is pseudonymised data under Article 4(5), not fully anonymised data, because:
- The hashing process is computationally one-way but not mathematically irreversible
- Re-identification could theoretically occur with additional information not held by SYNCLYTICS
- SYNCLYTICS does not hold the information necessary to perform re-identification
Legal classification under Australian Privacy Act 1988 (as amended): We treat hashed identifiers as potentially falling within the definition of "personal information" and apply appropriate safeguards accordingly
Cross-device consistency: Same operator working with different trainers/devices generates identical hash, enabling aggregated performance analysis

Technical details: HMAC (Hash-based Message Authentication Code) with SHA-256 algorithm is an industry-standard, NIST-approved cryptographic function. While the hashing process is computationally one-way, we do not claim it provides absolute irreversibility.

Safeguards we apply:

We do not hold the source data that could be used for re-identification
We do not attempt to re-identify individuals from hashed identifiers
Access to hashed data is restricted and audited
Data is encrypted in transit and at rest

1.2 Privacy-Preserving Location Data (EASE-Grid 2.0)

We DO collect coarse geographic region identifiers using the EASE-Grid 2.0 standard:

What is collected: EASE-Grid 2.0 cell IDs representing 10km × 10km geographic regions (100 km² area)
Example: GPS coordinates (-31.9505°S, 115.8605°E) becomes cell ID "R-128C463" (Perth region, covers ~100 km²)
Purpose: Enables regional performance analytics without exposing precise locations
Legal classification: Due to the coarse resolution (100 km² cells containing multiple potential sites and thousands of individuals), we consider this data to be effectively anonymised and not personal information under GDPR or the Australian Privacy Act 1988 (as amended)
How it works: GPS coordinates captured on your device are immediately converted to EASE-Grid cell ID; original coordinates are discarded and never stored or transmitted
Standard system: NASA/NSIDC EASE-Grid 2.0 (EPSG:6933) cylindrical equal-area projection

Technical details: EASE-Grid 2.0 is a globally-recognised geographic grid system where every cell is exactly 100 km². Raw GPS coordinates are never stored in the database or transmitted to servers - only the cell ID (format: "R{row}C{col}") is retained.

Privacy characteristics:

Raw GPS coordinates never stored or transmitted
100 km² resolution prevents identification of specific sites
Optional - app continues without location if permission denied

1.3 Installation Identifier

We DO collect an installation identifier for device registration and session tracking:

What is collected: A randomly-generated UUID (Universally Unique Identifier) created on first app launch
Example: "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
Purpose: Links sessions from the same device installation for data integrity and subscription validation
Legal classification: Not personal information because:
- Randomly generated with no connection to device hardware (not IMEI, serial number, etc.)
- Cannot be used to identify individuals or specific physical devices
- Changes if app is reinstalled
- No linkage to personal identity

2. Data We Collect

We collect the following categories of data:

Pseudonymised Identifiers (treated as potentially personal information):

HMAC-SHA256 hashed operator IDs (64-character hexadecimal strings)
HMAC-SHA256 hashed trainer IDs (64-character hexadecimal strings)

Non-Personal Operational Data:

EASE-Grid 2.0 cell IDs (10km × 10km regions, format: "R{row}C{col}")
Random installation UUID
Equipment type (e.g., "Excavator", "Shovel")
Equipment manufacturer (OEM)
Equipment model number
Equipment capacity (bucket size in cubic metres)
Equipment rated payload (tonnes)
Stage durations (dig, swing, dump times in milliseconds)
Cycle durations (total time per load)
Bucket fill factor percentages
Tonnes per hour calculations
Material P80 fragmentation size (millimetres)
Material hardness ratings (soft, medium, hard, very hard)
Session duration and cycle counts
Session timestamps

What We Do NOT Collect:

Names of trainers or operators
Employee IDs (original/unhashed)
Equipment asset IDs or serial numbers
Company names or identifiers
Precise GPS coordinates or exact location data
Device hardware identifiers (IMEI, serial numbers, etc.)
IP addresses (not logged or stored)
Email addresses
Phone numbers

3. How We Use Collected Data

Collected data is used for:

Global Performance Analytics: Tracking cycle stage performance across multiple trainers/devices using pseudonymised identifiers
Regional Performance Trends: Analysing equipment efficiency by geographic region using EASE-Grid cells
Industry Benchmark Development: Creating performance baselines for different equipment types and operating conditions
Statistical Analysis: Understanding industry-wide efficiency trends
Software Improvement: Identifying common usage patterns to enhance features
Research: Contributing to mining equipment efficiency research (aggregated data only)
Aggregate Reporting: Publishing industry reports with aggregated, non-identifiable data

Example of Aggregated Data:

"Excavators operating in hard material (P80 800mm) average 18.5 seconds per dig cycle"
"Shovels with 34m³ buckets achieve 92% average bucket fill factor"
"EASE-Grid cell R-128C463 (100 km² region) shows 8.7% better efficiency than tropical regions"

4. Data Sharing and Disclosure

Personal Information: We do not share personal information because we do not collect it in identifiable form.

Pseudonymised and Operational Data: May be shared with:

Cloud hosting providers (AWS, Google Cloud, Render) for data storage and processing
Third-party analytics providers (for statistical analysis only, under data processing agreements)
Research institutions (aggregated data only, for academic studies on equipment efficiency)
Industry publications (aggregated benchmarks only)

Commercial Use of Data:

We may sell, license, or share pseudonymised operational metrics and aggregated analytics with third parties for commercial purposes
Such data will never include personal information in identifiable form
We do not share data in a form that could reasonably identify individuals or specific companies
Raw session data is not provided to third parties without appropriate safeguards and data processing agreements

5. Data Storage and Security

Local Storage (On Your Device):

All personal information is stored in an SQLite database on your device
You control this data through app export/delete features
Uninstalling the app deletes all local data permanently

Remote Storage (Our Servers):

Only pseudonymised identifiers and non-personal operational metrics are transmitted to our servers
Data is transmitted using HTTPS encryption (TLS 1.2 or higher)
Data is stored on secure cloud servers (AWS/Google Cloud/Render) with encryption at rest
Access to servers is restricted and audited

Technical and Organisational Measures:

We implement appropriate technical and organisational measures to protect information, including:

HMAC-SHA256 cryptographic hashing of identifiers before transmission
Industry-standard encryption for data transmission (TLS) and storage (encryption at rest)
Access controls and audit logging
Regular security reviews
Data minimisation (collecting only what is necessary)
Pseudonymisation of personal identifiers

While we implement reasonable security measures, no system can guarantee absolute security.

6. Your Rights and Control

Data Access:

You can view all captured sessions and metrics within the app
Data export (JSON/CSV format) is available with an active subscription

Data Deletion:

Uninstalling the app deletes all local data from your device
Server-side data cannot be deleted on request because pseudonymised identifiers cannot be linked back to specific individuals - we have no way to identify which data belongs to you

Data Portability:

Export your data in JSON or CSV format (requires active subscription)

Data Collection:

Data upload is required to use the app
By using the app, you agree to the collection of pseudonymised operational metrics as described in this policy

Rights Under Australian Privacy Act 1988 (as amended):

If you are in Australia, you have the right to:

Request access to any personal information we hold about you
Request correction of inaccurate information
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles

Rights Under GDPR (if applicable):

If GDPR applies to you, you have the right to:

Access your personal data
Rectification of inaccurate data
Erasure of your data ("right to be forgotten")
Restriction of processing
Data portability
Object to processing
Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at support@synclytics.tech.

7. Legal Basis for Processing

Under GDPR (if applicable):

Legitimate Interest (Article 6(1)(f)): We have a legitimate interest in collecting pseudonymised operational metrics for software improvement, industry benchmarking, and research. We have conducted a balancing assessment and determined that our processing does not override your rights and freedoms, particularly given the pseudonymisation measures we apply.
Consent (Article 6(1)(a)): By using the app, you consent to the collection of pseudonymised operational metrics.

Under Australian Privacy Act 1988 (as amended):

We collect and handle information in accordance with the Australian Privacy Principles (APPs)
Collection is reasonably necessary for our business functions (APP 3)
We take reasonable steps to protect information from misuse (APP 11)

8. International Data Transfers

Pseudonymised operational metrics may be stored on servers located outside Australia (e.g., AWS US, Google Cloud EU). These transfers are subject to:

Standard contractual clauses or equivalent safeguards for data protection
Compliance with GDPR requirements for international transfers (if applicable)
Compliance with Australian Privacy Principle 8 (cross-border disclosure)
Encryption during transmission and storage

9. Data Retention

On Your Device:

Data remains indefinitely until you delete it or uninstall the app

On Our Servers:

Pseudonymised operational metrics are retained for 5 years for benchmarking purposes
After 5 years, data is deleted or further aggregated such that individual sessions cannot be distinguished
Earlier deletion is not possible as we cannot identify which data belongs to specific users or devices

10. Children's Privacy

SYNCLYTICS is not intended for use by children under 16 years of age (or the applicable age in your jurisdiction). We do not knowingly collect data from children. Due to our pseudonymisation approach, we cannot identify or delete data from any specific individual, including children. Parents and guardians are responsible for ensuring children do not use the app.

11. Third-Party Services

SYNCLYTICS integrates with the following third-party services:

Infrastructure Providers:

AWS (cloud hosting and storage)
Google Cloud (cloud hosting and storage)
Render (cloud hosting and storage)

Communication Services:

Resend (feedback email delivery)

These providers process data under data processing agreements and are bound by their own privacy policies.

We do NOT use:

Advertising networks
Social media tracking pixels
Behavioural analytics platforms (e.g., Mixpanel, Amplitude)
User profiling services

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

Changes in legal requirements
New features or data collection practices
Improvements to our privacy practices

How You'll Be Notified:

Updated effective date at the top of this document
In-app notification of material privacy policy changes
Continued use of the app after updates constitutes acceptance of non-material changes

Material Changes:

If we make material changes that affect your rights (e.g., collecting new categories of personal information), we will:

Provide prominent notice in the app
Where required, request your consent before implementing changes
Offer opt-out options where appropriate

13. Contact Us

For privacy questions or concerns:

Email: support@synclytics.tech

Response Time: We aim to respond to privacy enquiries within 30 days, as required by Australian law.

Summary

We DO collect: Pseudonymised operator/trainer identifiers (HMAC-SHA256 hashes) + coarse location data (EASE-Grid 10km × 10km cells) + equipment performance metrics + random installation UUID

We DO NOT collect: Names, employee IDs (original/unhashed), equipment asset IDs, company info, precise GPS coordinates, device hardware identifiers, or other directly identifying information

Your personal data: Stays on your device, never transmitted to our servers in identifiable form

Identifier protection: HMAC-SHA256 hashing provides pseudonymisation (not full anonymisation) - we treat hashed identifiers with appropriate safeguards

Location privacy: GPS converted to 10km × 10km grid cells (100 km² areas) - raw coordinates never stored or transmitted

Why we collect data: To build industry benchmarks, enable regional analytics, and improve the app

Security: Industry-standard cryptographic hashing, encryption in transit and at rest, access controls

Your control: Export or delete local data at any time